With greater awareness about the risks of unsecured privileged accounts allowing broad, anonymous access across the enterprise, privileged account security has become an organizational priority.
The privilege problem is proliferating. Organizations typically have three-to-four times more privileged accounts than employees. And in addition to privileged accounts “with a heartbeat” – those belonging to human users – there are also privileged credentials used by applications to access and communicate with other applications or systems across the network.
While it’s been understood that much of the application-to-application/system conversations from internally-developed applications have been using privileged credentials for this communication, it’s also increasingly common for externally-developed applications to require the same type of access. These IT and business commercial off-the-shelf (COTS) software applications are used for activities like vulnerability management, asset discovery, DevOps or even IT Operations automation. Whether these COTS solutions are installed on-premise, or delivered from the cloud, these processes require privileged credentials to gain entry and access to the systems they’re monitoring, discovering and/or managing.
In fact, COTS applications often require the same level of access to privileged accounts, and use the same powerful credentials (such as Domain) that an IT Administrator or Database Administrator needs to do day-to-day work. For example, vulnerability management solutions, which include patch management and configuration management technologies, need privileged access so that they can alter the operating system and application files and configuration settings, then reboot the asset to ensure changes take effect.
Additionally, many business applications have access to sensitive data, such as personally identifiable information (PII), protected health information (PHI), or cardholder information subject to Payment Card Industry (PCI) security requirements. Privileged accounts are used by these applications for several reasons, most importantly to access sensitive data for use by the application. Therefore, unauthorized access to business application privileged credentials could allow an attacker to perform a major data breach.
With the potential for hundreds and thousands of COTS applications in an enterprise, the magnitude of the security risk becomes clearly significant when taking into account the corresponding number of targets these applications interface with on a regular basis. While the enormity of the resulting attack surface is a major security concern, it’s the business impact of any disruption to these key processes from a compromised, invalidated or out of sync credential that is even greater.
Barriers to better credential management
Many organizations are still not properly maintaining, managing, securing or even tracking the privileged credentials that are used by outside applications to access networks. This is troublesome given the critical functions COTS applications control, such as policy setting, provisioning an SSL certificate, asset discovery, importing and exporting data, identifying configurations and more.
Why aren’t these credentials better managed? For some organizations, they don’t always know the credentials being used, where they’re being used, or even how powerful an individual privileged credential may be. Without automation, it’s cumbersome to manually rotate credential passwords, and if not done properly, can cause unintended consequences such as system instability, applications outages and possibly significant downtime.
For example, when the credential on a target system is changed, it then needs to be updated in all of the applications that may use that credential. So without accurate information and data on the applications, targets and credentials, the security risk of not changing credentials is trumped by the operational risk of possible application downtime. For others, if the privileged credentials associated with COTS applications don’t affect an IT administrator’s daily job, it isn’t often a priority, and it’s “left to another day” and never gets done.
The result? Privileged credentials are usually defined once for each application and reside in applications or scripts, or they are stored in configuration files within networks, servers and databases. With hundreds of privileged credentials for applications to manage manually, and for the sake of operational simplicity, these credentials often remained unchanged. Regardless of the reason for it, unmanaged application credentials end up creating a compelling and powerful target within the environment, and each application becomes a significant threat and potential pathway for cyber attackers.
Putting in place a security mandate
Understanding the risk COTS applications pose to an organization is an important first step, but it won’t be enough to thwart a would-be attacker. It’s time for organizations to implement enterprise-wide security mandates to improve privileged account management, whether those are users with a “heart beat” or simply applications that require privileged access.
First, companies need to identify all of the privileged accounts that exist across their networks. This is usually done through a discovery process that works to inventory the applications that have access to the network organization-wide – including privileged accounts that are no longer used or belong to employees who have left the company – and pinpoint what vulnerabilities exist.
Next, organizations need to stop using credentials that are statically stored in COTS applications, databases scripts, or are stored in cleartext in configuration files as they can easily be captured by attackers. Instead, organizations should be focused on adopting a system to automatically manage, secure and rotate credentialed access to privileged accounts.
There are tools specifically designed to scan the entire IT environment to find privileged user and application accounts, associated credentials and vulnerabilities, as well as solutions that eliminate credentials (passwords and SSH keys) from COTS applications, scripts and configuration files.
The goal is to reduce the risk of unauthorized application credential usage and help to detect and alert on credential usage anomalies, as well as simplify credential management.
Driving security accountability
Collectively, this education and advanced understanding of privileged security vulnerabilities related to COTS applications is a positive development and is influencing strategic discussions about implementing a centralized credential management system that protects all privileged access, regardless if by an IT user, or internal or COTS application.
As part of these discussions, software vendors must be accountable and ask themselves if their applications are accessing information in their customers’ networks in the most secure way possible. Eventually, software providers that have proactively mitigated risks associated with their applications could turn those steps into a competitive differentiator.
When organizations have a better understanding of cyber security threats and increasingly take proactive measures to mitigate risk – and technology vendors do the same – enterprise security becomes a collaborative effort that extends beyond any one vendor or application. Better integration and informed decisions improve the entire technology ecosystem.